1. Field of the Invention
The present invention relates generally to cryptographic techniques for use in a communications network such as a wireless communications network.
2. Description of Related Art
First generation wireless communications networks were based on analog technologies such as the Advanced Mobile Phone Service (AMPS). Second generation wireless communications networks introduced digital communications technologies such as the Global System Mobile (GSM), IS-136 Time Division Multiple Access (TDMA), and IS-95 Code Division Multiple Access (CDMA). Authentication and Key Agreement (AKA) protocols were developed for first and second generation networks to prevent theft of cellular telephone service, to provide subscriber voice privacy, and provide other security features.
FIG. 1 illustrates a typical cellular telephone or Personal Communication Services (PCS) network. A subscriber, using a Mobile Station (MS) 130 (e.g., a cellular phone), can roam outside of the area covered by their Home Environment (HE) 110 network and obtain wireless communications service from a Serving Network (SN) 120. The HE 110 and SN 120 networks typically include a switch, base station, and other components (not shown), as is known in the art. As is known in the art, the HE 110, SN 120, and MS 130 are controlled by software, firmware, and/or hardware instructions.
The MS 130 often features a removable Universal Subscriber Identity Module (USIM) that resides in the MS 130 to store subscriber Information such as a subscriber's identity, secret key information, and so forth. To simplify descriptions herein, the USIM is considered part of MS 130. However, a subscriber can transfer their USIM into other MS-s 130 to obtain service.
An AKA protocol for second generation wireless communication networks provides MS 130 to SN 120 authentication. In a typical GSM system, the HE 110 and MS 130 share a common 128-bit secret key K. To enable roaming privacy and authentication, HE 110 passes an authentication vector including three pieces of cryptographic data to a SN 120. Each vector includes a random challenge, response, and privacy key.
When MS 130 requests service, SN 120 transmits the random challenge over the air to the MS 130. MS 130 combines the random challenge with the secret key K using a cryptographic primitive (e.g., a hash function) to generate the response. MS 130 transmits the response to SN 120 which compares the response value received from MS 130 with the response value provided by HE 110. If the response values are equal, SN 120 provides system access to MS 130. MS 130 also uses the random challenge and K to create a privacy key that is identical to the privacy key sent from HE 110 to SN 120 as part of the cryptographic triplet. With the same privacy key, SN 120 and MS 130 can securely communicate. In this scheme, the SN 120 need not implement a cryptographic primitive (e.g., a hash function).
A third generation AKA mechanism adopted by the Third Generation Project Partners (3GPP) enhances the original GSM AKA mechanism by enabling mutual authentication between SN 120 and MS 130. The 3GPP AKA mechanism replaces the GSM crypto-triplet vector with a crypto quintet authentication vector (AV) to facilitate MS/SN mutual authentication.
FIG. 2 illustrates formation of an AV by an HE 110. As shown, the AV includes five components concatenated together: (1) the random challenge (RAND), (2) an expected response (XRES), (3) a cipher key (CK), (4) an integrity key (IK), and (5) an authentication token (AUTN). AUTN includes three components: (1) an exclusive- or of a sequence number (SON) and anonymity key (AK), (2) a MODE value, and (3) a message authentication code (MAC). The sequence number indicates the AVs position in a sequence of AVS. Functions f1 through f5 are derived using a cryptographic primitive shared between HE 110 and MS 130. Different values of primitive constants or parameters control which function, f1 through f5, the primitive provides.
When roaming, a MS 130 may be authenticated each time a MS 130 owner places a call. Thus, typically, an HE 110 sends multiple AVs to SN 120 to enable multiple authentications between SN 120 and MS 130.
FIG. 3 illustrates SN 120 authentication in 3GPP AKA. To authenticate SN 120, the MS 130 and HE 110 keep track of counters SQNMS and SQNHE. When HE 110 generates an AV, SQNHE is incremented. MS 130 authentication of SN 120 is performed by ensuring that SQN in each new AV is greater than SON in the previous AV. The MS 130 also verifies that SQNHE originated from the HE 110 by verifying the MAC in the AUTN.
It is possible for the SQN counter in HE 110 and MS 120 to lose synchronization. For this reason, the 3GPP AKA mechanism has SON re-synchronization procedures. If K is reset or replaced for a particular USIM, SQN can be reset at the HE 110 and MS 130.
FIG. 4 illustrates the flow of a typical 3GPP AKA mechanism, When MS 130 requests service from SN 120, SN 120 sends (step 202) an authentication request to HE 130. Upon receiving the request associated with a particular MS 130, HE 110 generates (step 204) an array of AVs for that particular MS 130. HE 110 sends (step 206) the AVs to SN 120 which, in turn, stores (step 208) the AVs in its Visitor Location Register (VLR). SN 120 selects (step 210) the first sequential AV(i) (e.g., i=1) and sends (step 212) RAND(i) and AUTN(i) to MS 130. MS 130 verifies (step 214) AUTN(i) and computes RES(i). If SQN(i) is greater than SQNMS, MS 130 successfully authenticates SN 120. MS 130 sends (step 216) RES(i) to SN 120. SN 120 compares (step 218) RES(i) with XRES(i). If RES and XRES are equal, SN 120 has successfully authenticated MS 130. Finally, MS 130 computes (step 220) CK(i) and IK(i) while SN 120 selects CK(i) and IK(i).
FIG. 5 illustrates a cryptographic key hierarchy of the 3GPP AKA mechanism. A secret key K is the root secret shared only between the HE 110 and MS 130. Whenever mutual authentication is performed, a cipher key (CK) is generated to facilitate voice and data privacy.
Additionally, an integrity key (IK) is generated to facilitate message authentication.
The North American Telecommunications industry Association (TIA) TR-45 standards group has based AKA on a shared secret between HE 110, SN 120, and MS 130. In a TR-45 cellular/PCS network, HE 110 sends Shared Secret Data (SSD) to SN 120 to enable MS 130 to SN 120 authentication. SSD is derived from an Authentication key (A-key), shared between HE 110 and MS 130 only. The A-key is analogous to the GSM secret key K. SSD consists of SSD-A, used for MS 130 challenges response authentication, and SSD-B, used for SN/MS voice and data privacy. When MS 130 requests service from SN 120, HE 110 sends SSD to SN 120. With SSD, SN 120 can authenticate MS 130 until SSD is updated between HE 110 and MS 130.
Unlike a GSM network where SN 120 continuously requests new vectors of crypto-triplets to perform MS 130 authentication, SN 120 in a TR-45 network acquires unique SSD from HE 110 and uses SSD for the duration that MS 130 operates within the SN 120 area. Ideally, SSD update is performed between HE 110 and MS 130 after MS 130 leaves the SN 120 area to establish a new SSD, preventing SN 120 from knowing an SSD used by another service network. Unfortunately, many service providers do not update SSD frequently, allowing many service providers to know SSD-A which is the authentication secret for TR-45 cellular telephones.
The TIA TR-45 is considering adoption of the 3GPP AKA for TR-45 networks to support global harmonization of wireless communication standards. To retain the advantages of using a shared secret like SSD, the TR-45 is considering using the 3GPP IK key as SSD for third generation TR-45 wireless networks.
Additionally, the TR-45 is considering the adoption of the Long-term Enhanced Subscriber Authentication (LESA) AKA in which interlocking challenges provide mutual authentication between SN 120 and MS 130. In the LESA AKA mechanism, SN 120 sends a random number RN to MS 130. MS 130 generates a second random number RM. MS 130 computes a response to SN 120 by combining RN, RM, and SSD in a cryptographic primitive. MS 130 sends the response and random number RN, to SN 120. With RM, SN 120 computes the same response, authenticating MS 130. Then SN 120 computes a second response for MS 130 by combining RM and SSD in the cryptographic primitive. SN 120 sends the second response to MS 130. MS 130 verifies the second response, authenticating SN 120.
Finally, 3GPP has considered an AKA mechanism similar to the LESA AKA, known as Authentication based on a Temporary Key (A-TK). The A-TK AKA mechanism uses a procedure of interlocking challenges between HE 110 and MS 130 to establish a temporary key (KT). Once KT is established, SN 120 uses traditional challenge-response to authenticate MS 130. MS 130 authentication of SN 120, however, is not performed explicitly, but is implicitly achieved by the establishment of CK and IK based on random numbers provided by SN 120 and MS 130.